This blog post is part 3 of my series on how to decrypt HTTPS traffic on your own network.
If you’ve been following from part 2, we have a tarball containing all the certificate and private key formats mitmproxy requires. Once we install mitmproxy and place the tarball files in the right directory, we will be ready to decrypt some HTTPS traffic.
Installing and configuring mitmproxy
To install mitmproxy under Ubuntu 16.04 we have to run
$ sudo apt install mitmproxy $ mitmproxy --version mitmproxy 0.15
Now that mitmproxy is installed, you can extract the tarball so that mitmproxy can use your intermediate CA.
The following commands assume the
mitmproxy.tgz file is in the home directory, and can be accessed via
$ mkdir -p ~/.mitmproxy $ tar xzf ~/mitmproxy.tgz -C ~/.mitmproxy $ ls -1 ~/.mitmproxy mitmproxy-ca-cert.cer mitmproxy-ca-cert.p12 mitmproxy-ca-cert.pem mitmproxy-ca-key.pem mitmproxy-ca.pem
The certificates are now available to mitmproxy. Run
mitmproxy so you can import the certificate into Firefox. You will now see the main mitmproxy screen.
We can now begin intercepting Firefox’s HTTPS traffic by importing the Intermediate CA that mitmproxy is now using.
Preferences > Advanced > Network
- Click on
Manual proxy configuration
- Check the box that says
Use this proxy server for all protocols
Once Firefox has the proxy configured, you can load the mitmproxy test page (http://mitm.it) to make sure the settings are valid. If you somehow misconfigured the proxy you should see the first screenshot, and if you configured the proxy properly you should see the second.
You’ve verified the configuration is correct, now import the Intermediate CA into Firefox
- Click on the link that says
- Click on
Trust this CA to identify websites
- (Optional) Click on the
Viewbutton next to
Examine CA certificateto make sure that the certificate is the one we created. The CN of the certificate should be
Your MITM CA
Intercepting traffic with mitmproxy
Now you’re ready to start intercepting and decrypting HTTPS traffic. Let’s load https://example.com in Firefox. Although the traffic was encrypted via HTTPS, mitmproxy has intercepted and decrypted the request on-the-fly.
We can further investigate the request by pressing
[ENTER] then hitting
[TAB] to view the response the server sent for our GET request. You can see the decrypted response headers and body. The body is a gzip encoded payload, which mitproxy has decoded for us, and we can plainly see that it is an HTML document. Hitting
[TAB] one more time will bring us to the TLS connection details. As you can see in the
detail tab, the issuing CA for example.com’s certificate is Digicert. Once the page gets loaded in Firefox, the CA that encrypted your connection is
Your MITM CA which we expected since we are performing man-in-the-middle attack on the browser.
If you keep mitmproxy open during a regular browsing session you will start to see what kind of traffic Firefox sends to and receives from servers. Although you could use the built-in debugger tool to see these requests by pressing
F12, the debugger might miss some requests from extensions, and the pings Firefox makes to mozilla to check for extension updates, error reporting and others.
These are just the basics of what you can do with mitmproxy. If you want to learn more consult the mitmproxy documenation. You’ve now seen a practical use for a self-issued intermediate CA to easily decrypt HTTPS traffic in Firefox. The next blog post will use our current mitmproxy setup to intercept traffic for an Android device. Stay tuned!